IETF Logo Mail Archive

Re: [dmarc-ietf] indeterminisim of ARC-Seal b= value

"Murray S. Kucherawy" <superuser@gmail.com> Thu, 30 March 2017 08:21 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B87651293E1 for <dmarc@ietfa.amsl.com>; Thu, 30 Mar 2017 01:21:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nMPrqBZnsG6y for <dmarc@ietfa.amsl.com>; Thu, 30 Mar 2017 01:21:15 -0700 (PDT)
Received: from mail-vk0-x22f.google.com (mail-vk0-x22f.google.com [IPv6:2607:f8b0:400c:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C77B12922E for <dmarc@ietf.org>; Thu, 30 Mar 2017 01:21:14 -0700 (PDT)
Received: by mail-vk0-x22f.google.com with SMTP id s68so45667884vke.3 for <dmarc@ietf.org>; Thu, 30 Mar 2017 01:21:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=YzkblhQ2Bnlh62R0uZW426K5ypaoAqDIWAGv681iiC4=; b=CQQ/DAfLso8Km3zQPoFurq9Cz8pzXt2hR6hBuiznC3GCbFMErN4IPRhEt7ktmHVSAs ir/o9/SV6n4Y1QI5Q+UvuXUxIq5lNZKUzZZs5oxCj5I35LypTUc/yQD8ZndCGDaHXrtU zDqwNCKO9ldz3bvruuCMe0JRX3AAJ7o64wwgK44ZZu5L8jYzm7BX02UW0UrpbjAjhP9P 2hhNfMJmPTlP6lGQaPTAQ4IvUIV7muc2XA9CkoyuzfR40FIbMAJ6aWSTZV8TqOFLsTQo hwkh64a/Oy8SzL2DIZQQsrd3gstemrweyCAPxSgnE1WXHUvne3+RsPTauXYqqcrZ0MgL mGhg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=YzkblhQ2Bnlh62R0uZW426K5ypaoAqDIWAGv681iiC4=; b=akPy/QcpbyTGNm3uGK/zLGPvn84x1qPpNwW1w/+G4zkvHcyf5a2ZZNOsOIGONsj2jQ pXhF/A6buNDv8dJ4dRECR5XJSkopEAX6QTpZHwI1CKS1WSxCIA4L9UBQLdTA3wScWh06 Xcg+kMdf0Eq5kzXFXO8jbwH8dH3AZuQUFOV5CSpyq2ZV1LRzIUKovp4wi1iA9J0YcgPt Di02EN8hSeChVHmcCTqhruzcrZJhl59U7qD0sSGhwWdkjlOfbDZ157m5dkeIerbeb7Gz iBHoHAUXgzAF5AX1P+YbNoL7gL62FP4cEuv9mc2bleSbh+pUd9Wv7t4/Jenlkl6kqMHn CSQQ==
X-Gm-Message-State: AFeK/H2j9qiWFAE2CW+fKUt1dOM4X/cwSCTsJgmtwEMufuf37LkxPC8K6BxmpMCffY3kRlx3BiE2STUzQDwiRg==
X-Received: by 10.176.92.13 with SMTP id q13mr2902405uaf.149.1490862073525; Thu, 30 Mar 2017 01:21:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.130.70 with HTTP; Thu, 30 Mar 2017 01:21:12 -0700 (PDT)
In-Reply-To: <CANtLugOK4tXqA3ztYwchYsc8+t6KhyNj6mvgEu2wzvwKm_rK7A@mail.gmail.com>
References: <CANtLugO_D1Mz_v_341pc5O1mZ7RhOTrFA3+Ob5-onp72+5uRfA@mail.gmail.com> <20170324212304.85346.qmail@ary.lan> <CANtLugOK4tXqA3ztYwchYsc8+t6KhyNj6mvgEu2wzvwKm_rK7A@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 30 Mar 2017 03:21:12 -0500
Message-ID: <CAL0qLwbYCD2nsj62HxjqZ=Wt5oK8W8kbTJ+H5GiMN5M7rMSRAA@mail.gmail.com>
To: Gene Shuman <gene@valimail.com>
Cc: John Levine <johnl@taugh.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="f403043614164d3b14054bee607d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/n1j9N63s9gp2mjAPPWVha69DxWk>
Subject: Re: [dmarc-ietf] indeterminisim of ARC-Seal b= value
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 08:21:18 -0000

I have to catch up on the rest of this thread still, but I wanted to chime
in here to get started:

On Sun, Mar 26, 2017 at 5:23 PM, Gene Shuman <gene@valimail.com> wrote:

> Ah that had slipped my mind & is a good point.  However, I think the issue
> here is generally that ARC is more complex protocol than DKIM and therefore
> it's more important to reduce ambiguity & increase standardization while we
> have the chance.  I think this is generally a good idea from a security
> perspective, however this is mostly relevant with respect to testing &
> validation, as ensuring cross-compatibility is a much bigger challenge.
> It's even more important than it was with DKIM to have a test suite that
> can verify signing behavior.  If we don't agree on any sort of standard, a
> test suite will need to select a preferred format for the ARC headers &
> will fail all implementations that don't meet this form.  We've discussed
> this with Murray, and he agrees with this conclusion.
>

I agree that it's impossible to design a signer test suite that confirms
correct output, without doing crytpo checks of its own with a known-good
verifier, unless we nail down the syntax the output will use.  For this to
work, we'd have to mandate a lot of things, including at least these:

- the order of the tags as presented to the hash algorithm
- which tags will be present (note that many are not required, including
"t=")
- the specific values they will all contain
- for ARC-Message-Signature, which canonicalization will be used
- the spacing between the tags; since "relaxed" header canonicalization
compresses spaces but does not add them, "a=foo;b=foo" is not the same as
"a=foo; b=foo", but "a=foo;\r\n\tb=foo" is
- similarly, how signature fields will be wrapped (if at all)
- what signing key will be used
- the body content to be signed
- the header content to be signed
- the set of header fields that will be signed (which becomes "h=")

It certainly removes many variables to nail down a test in this way, and
it's faster to run tests that don't require crypto functions or a
known-good verifier to confirm.  To be honest, I can't remember if we ever
considered this sort of approach during the development of DKIM.  I don't
think we did, and after an admittedly brief search I couldn't find anything
in the archives.  I think when canonicalization was developed, it was plain
that tag order wouldn't matter to the verifier, and that was sort of the
end of it.

The obvious counter-argument here is that DKIM has been successful without
ever being strict about what a signature looks like.  Our interop event in
Dallas way-back-when consisted solely of implementer "A" sending mail at
implementer "B" and seeing what passed and what failed, and digging into
the failure cases to see if they're bugs in code or bugs in the
specification.  Independent of interop events, various implementers also
set up auto-responders that would verify an arriving message, then re-sign
it and send it back so the originator can test its verification.  Any
failure compelled us to implement debugging tools and exchange information
so we could work out the kinks, either in the spec or in the
implementation(s), until all participants were consistent.  We reached a
point where we had organically developed a bunch of "good" implementations
based on the fact that they all appeared to agree with each other.

Since the canonicalization algorithms in ARC are the same as the ones in
DKIM, and the tag=value and key syntaxes are also the same, we've got a lot
of concepts and code being recycled here.  I'm not sure how much new
fragility we should really be concerned about.  I'll know more as I
complete my implementation.

Paul's point that video and security protocols are traditionally much more
rigid is of course quite true, and I presume he's thinking of things like
the headers of DNS, IP, TCP, etc.  But I note that those are based on a
different model where fields have fixed sizes and predictable positions.
That's antithetical to email, however, where the fields come in arbitrary
order, and the only way you know what a given header means is that its name
precedes its value.  There can even be duplication.  And from one MTA to
another, header fields can be added, removed, or rearranged.  That's
impossible in a rigid header definition, so it's perhaps no surprise that
this community isn't exactly warm to the idea.

The question, then, is whether this is a desirable path to follow: Is the
value of a quick evaluation of a deterministic signer high enough to
surrender the flexibility of DKIM style of tag spacing and ordering?  And,
perhaps more importantly, what's the cost of being wrong later?

-MSK

v2.23.0 | Report a Bug | By Email